Recreate vSphere 4.0 lockdown mode behavior in vSphere 4.1 (1017628)

Details

In vSphere 4.0, when you enable ESXi lockdown mode, all permissions for the root account on the local system are removed. You can then manage ESXi using vCenter Server. However, local accounts that are created on the host do not have their permissions removed, which makes it possible to manage the host locally with those accounts. 
 
In vSphere 4.1, when you enable lockdown mode, permissions are removed from all local accounts, and all management must be performed through vCenter Server.
 
If you prefer to use the vSphere 4.0 lockdown mode behavior in vSphere 4.1, choose one of the following three methods for recreating vSphere 4.0 lockdown mode behavior:
  • Use the VMware vSphere CLI to run the script vicfg-legacylockdown.pl against the host or against a vCenter Server system that is connected to one or more hosts.
  • Use the VMware vSphere PowerCLI to run the script Set-LegacyLockdownMode.ps1 against the host or against a vCenter Server system that is connected to one or more hosts.
  • Recreate vSphere 4.0 lockdown mode behavior manually.
Important: Do not enable lockdown mode using the vSphere Client or the Direct Console User Interface (DCUI). Using the vSphere Client or the DCUI to enable lockdown mode on a vSphere 4.1 host enables vSphere 4.1 lockdown mode behavior. This KB article describes how to recreate vSphere 4.0 lockdown mode behavior on a vSphere 4.1 host.

Solution

Method 1: Recreate vSphere 4.0 Lockdown Mode Behavior in vSphere 4.1 by Using the vSphere CLI

You can run the legacy lockdown script directly against one or more hosts or you can run the script against vCenter Server. 

Note: You must have the latest version of the VMware vSphere CLI installed to run vicfg-legacylockdown.pl.

To run the script directly against a host:

  1. Download the script, vicfg-legacylockdown.pl (attached).
  2. Run the script against one or more hosts.
  • To enable legacy lockdown mode, run vicfg-legacylockdown --server host1.com,host2.com --username <username> --password <password> --enable
    The script logs in using a non-root account with Administrator permissions and removes the root permissions.

Note: The vSphere Client and the DCUI continue to indicate that lockdown mode is disabled on the host. This refers to vSphere 4.1 lockdown mode. Legacy lockdown mode behavior is in effect until you disable it.

  • To disable legacy lockdown mode, run vicfg-legacylockdown --server host1.com,host2.com --username <username> --password <password> --disable

To run the script against a vCenter Server system that is connected to one or more hosts:

  1. Download the vicfg-legacylockdown.pl script, attached to this KB article.
  2. Run the script against the vCenter Server system that is connected to one or more hosts.
  • To enable legacy lockdown mode, run vicfg-legacylockdown --server vcserver.com --username <vcusername> --password <vcpassword> --vihost host1.com,host2.com --viadminuser <local admin username> --viadminpassword <local admin password> --enable
    The script checks whether vSphere 4.1 lockdown mode is enabled and, if so, removes the host from lockdown mode. The script then logs in to the host directly using the credentials already provided and, if that login fails, prompts for credentials. Finally, the script removes the root permissions on the host.

Note: The vSphere Client and the DCUI continue to indicate that lockdown mode is disabled on the host. Legacy lockdown mode behavior is in effect until you disable it.

  • To disable legacy lockdown mode, run vicfg-legacylockdown --server vcserver.com --username <vcusername> --password <vcpassword> --vihost host1.com,host2.com --viadminuser <local admin username> --viadminpassword <local admin password> --disable

For detailed information about VMware vSphere CLI, including examples, see the vSphere Command-Line Interface Documentation page: http://www.vmware.com/support/developer/vcli/.

Method 2: Recreate vSphere 4.0 Lockdown Mode Behavior in vSphere 4.1 by Using the vSphere PowerCLI

You can run the legacy lockdown script directly against one or more hosts or you can run the script against vCenter Server. 

Note: You must have the latest version of the VMware vSphere PowerCLI installed to run Set-LegacyLockdownMode.ps1.

To run the script directly against a host:

  1. Download the script, Set-LegacyLockdownMode.ps1 (attached).
  2. Run the script against one or more hosts. For example, to enable and disable legacy lockdown mode:
  • To enable legacy lockdown mode, run .\Set-LegacyLockdownMode -Server host1.com, host2.com -Username <username> -Password <password> -Enable:$true
    The script logs in using a non-root account with Administrator permissions and removes the root permissions.

Note: The vSphere Client and the DCUI continue to indicate that lockdown mode is disabled on the host. Legacy lockdown mode behavior is in effect until you disable it.

  • To disable legacy lockdown mode, run .\Set-LegacyLockdownMode -Server host1.com, host2.com -Username <username> -Password <password> -Enable:$false

To run the script against a vCenter Server system that is connected to one or more hosts:

  1. Download the script, Set-LegacyLockdownMode.ps1 (attached).
  2. Run the script against the vCenter Server system that is connected to one or more hosts.
  • To enable legacy lockdown mode, run .\Set-LegacyLockdownMode -Server vcserver.com -Username <username> -Password <password> -VMHost host1.com, host2.com -VMHostUsername <host admin username> -VMHostPassword <host admin password> -Enable:$true
    The script checks whether the host is in lockdown mode and, if so, removes it from lockdown mode. The script then logs in to the host directly using the credentials already provided and, if that login fails, prompts for credentials. Finally, the script removes the root permissions on the host.

Note: The vSphere Client and the DCUI continue to indicate that lockdown mode is disabled on the host. This refers to vSphere 4.1 lockdown mode. Legacy lockdown mode behavior is in effect until you disable it.

  • To disable legacy lockdown mode, run .\Set-LegacyLockdownMode -Server vcserver.com -Username <username> -Password <password> -VMHost host1.com, host2.com -VMHostUsername <host admin username> -VMHostPassword <host admin password> -Enable:$false

For detailed information about PowerCLI, including examples, see the VMware vSphere PowerCLI documentation page: http://www.vmware.com/support/developer/windowstoolkit/.

Method 3: Recreate vSphere 4.0 Lockdown Mode Behavior in vSphere 4.1 Manually

To manually recreate vSphere 4.0 lockdown mode behavior in vSphere 4.1:

  1. Assign Administrator permissions to the local users who are allowed to manage the host. If you have configured Active Directory, you can use an account from Active Directory instead of using a locally created account.
  2. Delete the permissions for the host's root user account.

1. Assign Administrator permissions
  1. Use the vSphere Client to log in to the host as the root user.
  2. Select the host in the vSphere Client inventory and click the Permissions tab.
  3. Right-click inside the Permissions window and select Add Permission.
  4. Click Add and select the users to grant administrator rights from the list.
  5. Click Add and click OK.
  6. On the Assign Permissions dialog box, click the Assigned Role drop-down menu and select Administrator.
  7. Click OK.
  8. Close the vSphere Client to end your session.
The local user accounts you selected have Administrator permissions on the host.
 
2. Delete permissions for the host's root user account 
  1. Use the vSphere Client to log in to the host with the administrator account you created.
  2. Select the host in the vSphere Client inventory and click the Permissions tab.
  3. Right-click root in the list of users and groups and select Delete.
  4. Close the vSphere Client to end your session.
You can make sure the root user account is unable to manage the host by attempting to log in to the vSphere Client as root. If you are unable to log in, you have successfully locked out the root user while allowing other administrator accounts to manage the host.
 
If you want to grant root administration access again in the future, use the vSphere Client to log in to the host with the administrator account you created and follow the steps in 1. Assign Administrator permissions above to create a permission for the root user account.
 
Note: In vSphere 4.1, you can use host profiles to apply user permissions to multiple hosts at once. See the ESX/ESXi Configuration Guide for more information.
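The two manual steps above, written as a PowerCLI script for a single host. This is an added example for this article, not VMware's attached Set-LegacyLockdownMode.ps1; it assumes the standard PowerCLI permission cmdlets (Get-VIAccount, New-VIPermission, Get-VIPermission, Remove-VIPermission) and that the account named in -AdminUser already exists as a local user on the host. The root permission is only removed from a session that has already authenticated as the non-root administrator, so the host cannot end up with no working administrator.

```powershell
# Added example (not the KB's attached script): recreates the vSphere 4.0
# lockdown behavior on one ESXi 4.1 host by granting a local account the
# Administrator role and then deleting root's permission, as in Method 3.
param(
    [Parameter(Mandatory = $true)][string]$HostName,     # ESXi host to change
    [Parameter(Mandatory = $true)][string]$AdminUser,    # existing local user
    [Parameter(Mandatory = $true)][string]$RootPassword  # root password (assumed)
)

# Step 1: log in as root and give the chosen local account the Administrator
# role on the host object (role id is "Admin"; the client shows "Administrator").
$hostConn  = Connect-VIServer -Server $HostName -User root -Password $RootPassword
$vmHost    = Get-VMHost -Server $hostConn
$adminRole = Get-VIRole -Server $hostConn -Name Admin
$account   = Get-VIAccount -Server $hostConn -Id $AdminUser

$existing = Get-VIPermission -Server $hostConn -Entity $vmHost -Principal $AdminUser -ErrorAction SilentlyContinue
if (-not $existing) {
    New-VIPermission -Server $hostConn -Entity $vmHost -Principal $account -Role $adminRole -Propagate:$true | Out-Null
}
Disconnect-VIServer -Server $hostConn -Confirm:$false

# Step 2: reconnect as the non-root administrator. Reaching this point proves
# that account can manage the host; only then is root's permission deleted.
$adminCred = Get-Credential $AdminUser
$hostConn  = Connect-VIServer -Server $HostName -Credential $adminCred
$vmHost    = Get-VMHost -Server $hostConn
$rootPerms = Get-VIPermission -Server $hostConn -Entity $vmHost -Principal root -ErrorAction SilentlyContinue
if ($rootPerms) {
    Remove-VIPermission -Permission $rootPerms -Confirm:$false
}
Disconnect-VIServer -Server $hostConn -Confirm:$false

# Verification, as the KB describes: a root login against the host must now fail.
try {
    Connect-VIServer -Server $HostName -User root -Password $RootPassword -ErrorAction Stop | Out-Null
    Write-Warning "root can still log in to $HostName; legacy lockdown is NOT in effect"
    Disconnect-VIServer -Server $HostName -Confirm:$false
} catch {
    Write-Host "root login refused on $HostName; legacy lockdown behavior is in effect"
}
```

Run it once per host; because the script removes only root's permission on the host object, the vSphere Client and DCUI still report vSphere 4.1 lockdown mode as disabled, exactly as with the attached scripts.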
